The reason BYOD (bring your own device) causes concern for IT managers is it equates to a wider base of devices gaining access to network resource, often devices outside of the IT department’s control. We know that employees are frequently requesting to be able to use their own devices for work, and the practice is already commonplace. But what are the risks and how can IT managers implement BYOD securely?
In a recent piece of IS Decisions research, we asked 250 UK IT managers about their primary security concerns, and BYOD was not far up the list – it was eighth out of 10 options. However, data loss was, second only to viruses, and it is loss of data that is the real concern when it comes to BYOD. Particularly considering the danger of these unsecured devices potentially getting lost or stolen, or otherwise ending up in the wrong hands.
How do you create a secure environment in which users are able to use multiple devices of their own choosing? Is it possible for IT managers to mitigate the risks of losing data when users are using a plethora of devices?
Here are a few steps to achieving this goal – with a particular focus on Windows network infrastructures.
1. Limit or prevent concurrent logins
This is your first line of defence in BYOD security. If you only allow one login using the same credentials at a time, you can be more sure that whoever is gaining network access, via whatever device, is the owner of those credentials. If a device is lost or stolen, then even before the owner is aware no one can gain network access using their credentials as long as they are logged in elsewhere. More on limiting concurrent logins on a Windows Network.
2. Limit working hours or session times
Automatically logging off users after a set period or at a set time is another essential way to limit the risks that come with BYOD. If a device goes missing whilst it is logged in, again if the loss is unnoticed the system will automatically log the user out. More on restricting and enforcing user logon time.
3. Limit access according to device
Achieving this requires a strict policy and access to your users’ devices, but it is the most direct way to reduce the vulnerable network surface area. By tracking the devices your employees wish to use to access network resources, and limited each user’s access to those set devices, you are significantly reducing the risk of any potentially harmful intrusions. More on access restrictions for PC, laptop or tablet.
4. Keep a detailed log of registered devices
Once you have started tracking and registering devices for access to the network, it is important that you keep this up to date with specific details so you know which users and credentials relate to which device. This will come in particularly useful for instance when employees cease working with the organisation to ensure you do not continue to allow access from their devices. This may also involve working closely with your HR department, to ensure they notify you when terminations occur.
5. Have a strict BYOD security policy
This might seem obvious, but the IS Decisions research found that 29% of IT professionals do not have any kind of security policy for their organisation, let alone one that is specific to BYOD. If you are going to impose the necessary restrictions to create a secure working environment in which employees are able to use their own devices, you need to make those restrictions, and the reasons behind them, absolutely clear. This means documenting them in your security policy, but also using software to consistently remind users of what that policy is at relevant and opportune times using custom alerts. Be clear about what your policy is looking to prevent, and even mention contractual or legal implications of attempting to circumvent the policy to highlight the severity of it.
6. Monitor and respond to suspicious behaviour
Once you have all the above in place make sure you have the ability to monitor access to the network in real time. By doing this you can understand what suspicious behavior looks like, be that log ins from new devices or at odd times, and respond. By responding quickly to suspicious behavior you are not only reducing the risk, you are helping educate users on the potential problems.
There are many benefits to implementing BYOD within a business. Most IT managers and CIOs will have experienced their employees asking to be able to use their own mobiles, tablets or laptops at some point, but it is not just about bowing to user pressure. Allowing for multiple devices to gain network access leads to a more flexible working model, and ultimately greater productivity. It is simply that the right security measures must be in place in order for this to happen, and hopefully if your business follows these steps that is entirely possible.
This article originally appeared in Risk UK: The journal of risk management, loss prevention and business continuity.
With BYOD quickly becoming the rule rather the exception, native Windows Server functionality does not provide adequate means to secure user access from personal devices. UserLock alleviates this increased risk to corporate security by empowering IT to track, record and automatically block all inappropriate or suspicious sessions, including Wi-Fi or IIS.